Amazon Cognito has a number of system-reserved scopes:
But doesn't document what they give access to.
The first 3 are fairly self-explanatory. I would expect profile to mean the user profile.
I've found by trial-and-error that I need aws.cognito.signin.user.admin to use the Amazon Cognito Get User API call. I would have expected this to be profile instead, but OK, fine.
What I'm concerned about is what else aws.cognito.signin.user.admin might do. If I let 3rd party clients request this scope, what am I giving them access to?
The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other AWS services. You can use identity pools and user pools separately or together.
Allowed OAuth Scopes: The email scope grants access to the email and email_verified claims. This scope can only be requested with the openid scope. The openid scope returns all user attributes in the ID token that are readable by the client.
With a user pool, your app users can sign in through the user pool or federate through a third-party identity provider (IdP). Identity pools are for authorization (access control). You can use identity pools to create unique identities for users and give them access to other AWS services.
The aws.cognito.signin.user.admin scope gives you access to all the User Pool APIs that can be accessed using access tokens alone (full documentation here).
Note that this doesn't mean that the user would have arbitrary access to all the AWS API (like an IAM role might), but that if the request syntax for that API call includes "AccessToken": "string", then an access token granted using aws.cognito.signin.user.admin will be able to call it.
As a rule, the Cognito User Pools APIs (and it's only Cognito User Pool APIs) that authorise like this are ones that allow you to modify something on your own User Pools profile (i.e. do not start with Admin and affect a single profile):
At a glance through the API, these actions are (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_Operations.html):
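The answer's rule (an operation is callable with the token if its request shape has an AccessToken member and its name does not start with Admin) can be applied mechanically. The following is an added example, not code from the answer or from AWS; it runs the rule over a constructed excerpt in the layout of botocore's service-2.json, and a second function applies the same rule to the real cognito-idp model bundled with botocore if that package is installed.

```python
"""Enumerate Cognito user-pool operations that an access token carrying
aws.cognito.signin.user.admin can call, per the rule in the answer."""

# Constructed excerpt in the layout of botocore's service-2.json for
# cognito-idp; member lists are illustrative, not the full API model.
SAMPLE_MODEL = {
    "operations": {
        "GetUser": {"input": {"shape": "GetUserRequest"}},
        "ChangePassword": {"input": {"shape": "ChangePasswordRequest"}},
        "AdminGetUser": {"input": {"shape": "AdminGetUserRequest"}},
        "ListUsers": {"input": {"shape": "ListUsersRequest"}},
        "SignUp": {"input": {"shape": "SignUpRequest"}},
    },
    "shapes": {
        "GetUserRequest": {"members": {"AccessToken": {}}},
        "ChangePasswordRequest": {"members": {
            "PreviousPassword": {}, "ProposedPassword": {}, "AccessToken": {}}},
        "AdminGetUserRequest": {"members": {"UserPoolId": {}, "Username": {}}},
        "ListUsersRequest": {"members": {"UserPoolId": {}}},
        "SignUpRequest": {"members": {"ClientId": {}, "Username": {}, "Password": {}}},
    },
}


def token_authorised_operations(model):
    """Operations whose request shape has an AccessToken member and whose
    name does not start with Admin (the rule stated in the answer)."""
    found = []
    for name, op in model["operations"].items():
        shape_name = op.get("input", {}).get("shape")
        members = model["shapes"].get(shape_name, {}).get("members", {})
        if "AccessToken" in members and not name.startswith("Admin"):
            found.append(name)
    return sorted(found)


def token_authorised_operations_from_botocore():
    """Same rule over the real cognito-idp model shipped inside botocore
    (optional dependency; reads the local model, no network call)."""
    import botocore.session
    svc = botocore.session.get_session().get_service_model("cognito-idp")
    found = []
    for name in svc.operation_names:
        shape = svc.operation_model(name).input_shape
        if shape is not None and "AccessToken" in shape.members \
                and not name.startswith("Admin"):
            found.append(name)
    return sorted(found)


if __name__ == "__main__":
    print(token_authorised_operations(SAMPLE_MODEL))
```

Run the botocore variant to get the current list for your installed model version when reviewing which client apps may request the scope.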